You can actually separate the concept of the valid user from the session state somewhat (at least making it something you don't have to actively maintain). If you look at the servlet spec in the Security chapter, there are a few useful methods that may help in doing what you are trying to do. These include the getRemoteUser() method, to get the user name, and the isUserInRole() method, to check to see if a user is a member of a certain role. You can use these methods in your code to programmatically check a user's security info to decide if they can do something.
You can also use declarative security, which allows you to declare the security info in the deployment descriptor. This allows you to keep the security logic out of your code, but isn't quite as flexible (you can't have a servlet that processes things differently based on user role, for instance). A combination of both may be the way to go.
Along with this, I would take a look at the Authentication information in the Security chapter. You may be able to use something like form-level authorization to allow the app server to handle actually authenticating the user account.
To get more specific than this, you will need to look at the documentation that comes with your app server. While the method to declare the roles used in servlets/beans is defined in the spec, the actual methods used to map user accounts and roles to real security systems (like LDAP directories or databases) are specific to each app server. Because of this, you will probably need to configure the app server based on your application requirements (mapping roles to LDAP groups, for instance). Example info on this for WebLogic 6.1 is here: http://e-docs.bea.com/wls/docs61/webapp/security.html
You could also just write the security stuff yourself, but I think that, once you get it going, using the app server functionality should be easier to maintain and use throughout the app.
Hope this helps.
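As an added illustration of the combination the reply above recommends (this is example code, not from the original post or from any app server's documentation): the container authenticates the user through the FORM login and the security-constraint declared in web.xml, and the servlet then uses getRemoteUser() and isUserInRole() to vary its behaviour by role, which declarative security alone cannot express. The servlet name, the role names "manager" and "staff", the URL pattern and the two report helpers are assumptions made for the example; the role-to-group mapping is left to the app server as the reply describes.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed deployment descriptor (web.xml) fragment that goes with this servlet.
 * The container enforces it before doGet() is ever called, so the servlet can
 * trust that getRemoteUser() is populated for /reports/*:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Reports</web-resource-name>
 *       <url-pattern>/reports/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>manager</role-name>
 *       <role-name>staff</role-name>
 *     </auth-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>FORM</auth-method>
 *     <form-login-config>
 *       <form-login-page>/login.jsp</form-login-page>
 *       <form-error-page>/loginError.jsp</form-error-page>
 *     </form-login-config>
 *   </login-config>
 *   <security-role><role-name>manager</role-name></security-role>
 *   <security-role><role-name>staff</role-name></security-role>
 *
 * Mapping "manager" and "staff" to real accounts or LDAP groups is done in the
 * app server's own configuration, not here.
 */
public class ReportServlet extends HttpServlet {

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Set by the container only after it has authenticated the caller;
        // null means the request is anonymous.
        String user = req.getRemoteUser();
        if (user == null) {
            // Fail closed: if the security-constraint was misconfigured or
            // removed, do not fall back to guessing from session state.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Programmatic check: one servlet, different output per role.
        // isUserInRole() returns false for an unauthenticated caller or for
        // any role the container has not granted to this user.
        if (req.isUserInRole("manager")) {
            out.println("Full report for " + user);
            writeAllDepartments(out);
        } else if (req.isUserInRole("staff")) {
            out.println("Own-department report for " + user);
            writeOwnDepartment(out, user);
        } else {
            // Authenticated, but holds none of the roles this servlet serves.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
        }
    }

    // Assumed report helpers; a real implementation would query the data store.
    private void writeAllDepartments(PrintWriter out) {
        out.println("sales: 120");
        out.println("engineering: 340");
    }

    private void writeOwnDepartment(PrintWriter out, String user) {
        // The user's department would normally be looked up from the directory;
        // the value below is a constructed placeholder for the example.
        out.println("department of " + user + ": 120");
    }
}
```

If the role names used in isUserInRole() differ from the ones declared in the descriptor, the spec's security-role-ref element (with role-name and role-link) lets you alias them per servlet without touching the code; the mapping of either name to an LDAP group or database user still lives in the app server's configuration, as the reply points out.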